Unencrypted GoPro updates leave users vulnerable to attack

Researchers at Pentest Partners recently discovered a vulnerability in the playback and editing tool for GoPro Studio that leaves user data susceptible to attack: the tool makes update requests over the open web using unencrypted HTTP connections, according to a report in Forbes.

The company also sends the updates themselves to users as unencrypted traffic. An attacker using the same network, such as a public WiFi connection, could intercept an update request and in response promise to deliver a higher version, even if new updates weren't actually available. The victim's software recognises the response and allows the victim to download the phony update, potentially exposing all data to malware.

Ken Munro, partner at Pentest Partners, told Forbes that unencrypted updates are common across applications and that all firms should look to ensure that their updates are protected.
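The checks an update client can apply before installing anything, shown as an added example that is not GoPro's or Pentest Partners' code. The host name, manifest fields and sample data are assumptions constructed for illustration; a production updater would also verify a code signature on the manifest or installer.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: host name and manifest fields are hypothetical, not GoPro's.
TRUSTED_HOSTS = {"updates.example.com"}

def parse_version(text):
    """'2.10.0' -> (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def url_problem(url):
    """Return a reason string if the URL is not HTTPS on a trusted host, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not HTTPS: " + url
    if parts.hostname not in TRUSTED_HOSTS:
        return "untrusted host: " + url
    return None

def evaluate_offer(installed, manifest_url, manifest, payload):
    """Decide whether to install an offered update. Returns (accepted, reason)."""
    # 1. Both the update check and the download must use an authenticated channel.
    for url in (manifest_url, manifest["url"]):
        problem = url_problem(url)
        if problem:
            return False, problem
    # 2. A claimed higher version is only a claim; never accept same or lower.
    if parse_version(manifest["version"]) <= parse_version(installed):
        return False, "no newer version offered"
    # 3. The bytes received must match the digest from the authenticated manifest.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"].lower()):
        return False, "payload digest mismatch"
    return True, "ok"

# Constructed sample data.
PAYLOAD = b"constructed installer bytes"
GOOD = {"version": "2.10.0",
        "url": "https://updates.example.com/studio-2.10.0.bin",
        "sha256": hashlib.sha256(PAYLOAD).hexdigest()}
# The kind of reply a client checking over plain HTTP cannot tell from a real one.
SPOOFED = {"version": "99.0.0",
           "url": "http://updates.example.com/studio-99.0.0.bin",
           "sha256": hashlib.sha256(b"other bytes").hexdigest()}

if __name__ == "__main__":
    print(evaluate_offer("2.9.1", "https://updates.example.com/manifest.json", GOOD, PAYLOAD))
    print(evaluate_offer("2.9.1", "http://updates.example.com/manifest.json", SPOOFED, b"other bytes"))
```

The digest check is only as trustworthy as the channel that delivered the manifest, which is why the transport check runs first.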
